Let's configure user and group permissions to control access on your TrueNAS Scale - Part 2

  • Published 15 Oct 2024
  • In this video I will show you how you can use the group and user permissions system to restrict access to areas of your server. That way, users cannot access everything when they have no need to, which protects information from people who should not access it.

COMMENTS • 33

  • @edwardhammock24 6 months ago +1

    Brilliant overview of what feels like a very complicated system for a non IT admin personal user. Many thanks.

  • @slopsec2358 3 months ago +1

    Thanks for the video and Thank God for Closed Caption.

  • @jonathanloaiza 1 year ago +1

    Thanks for this video mate, it's very helpful. Nice Ravensburger Antique World Map hehe. I have exactly the same one. Cheers from Venezuela 🙌

  • @oliverzimmermann7544 8 days ago

    Thanks a lot for your video. What I don't understand is why you set the group mask with all permissions; could you explain that?

  • @philipsx9827 2 months ago

    Many thanks. Helped me a lot. I'm preparing my new server, to substitute my old Samba server on Ubuntu.

  • @nikunjkaria 2 months ago

    Nicely explained. Thank you.

  • @serhiizaika. 1 year ago

    Hi, thank you for your explanations and clear English

  • @vladimirbasistyy 7 months ago

    Brilliantly done with the explanation.
    Is it possible to create a hidden share and allow users to see only the folders that they have permissions for?

  • @sleekspeed22 1 year ago +2

    Thanks for putting this together. I've been having some problems understanding the difference between the share and file system ACLs. Some feedback... the screen capture is rather blurry and your talking head in the corner is larger than it needs to be and blocks some of the clicks. Thanks again for putting this together. I had to stop and rewatch parts over and over.

    • @sauberlab-uk 9 months ago

      Thank you for letting me know. I will try to improve this point for my next videos.

  • @Maisonier 1 year ago +2

    Is hiding SMB folders from other users a problem? I tried to do these things and it didn’t work:
    I enabled the option “Access-Based Share Enumeration” in the advanced options of the SMB share configuration.
    I edited the ACL of the shared folder to assign the appropriate permissions to each user or group.
    I restarted the Samba server, but all the folders are still visible to all users.
    NFSv4 is enabled.

    • @samcan9997 1 year ago +1

      That's just SMB as far as I've seen. I get this too when I do an SMB share from Windows Server with access enumeration; some clients don't 'see' the hidden flag.

    • @sauberlab-uk 9 months ago

      Hiding SMB folders from other users using "Access-Based Share Enumeration" (ABSE) is a common requirement and feature in many environments to control and restrict the visibility of folders based on user permissions. If you have enabled ABSE, configured the ACLs, and restarted the Samba server but still encounter issues with folder visibility, there may be additional factors or configurations affecting the behavior. Here are some troubleshooting steps and considerations to help you address the issue:
      Verify ABSE Configuration:
      Double-check the configuration settings for ABSE in the Samba share configuration to ensure that it is correctly enabled and applied to the desired shares.
      Confirm that the version of Samba you are using supports ABSE and that there are no known issues or limitations with the specific configuration and setup.
      Review ACL Settings:
      Examine the ACLs (Access Control Lists) configured for the shared folders and ensure that they are correctly set to restrict access and visibility based on user and group permissions.
      Verify that the ACLs are applied recursively to the subfolders and files within the shared folders as needed.
      Test User and Group Permissions:
      Test the folder visibility and access with different user accounts and groups to identify any discrepancies or issues with the permissions and configurations.
      Ensure that the users and groups are correctly authenticated and mapped within the Samba and operating system configurations.
      Check NFSv4 and Compatibility:
      Evaluate the NFSv4 configuration and its interaction with the Samba and ACL configurations to ensure compatibility and consistency in access control and visibility settings.
      Verify that NFSv4 is correctly configured and that there are no conflicts or issues between NFSv4 and Samba configurations.
      Restart and Refresh Services:
      Restart the Samba and NFSv4 services after making configuration changes to ensure that the new settings are applied and active.
      Consider restarting the entire system or server to ensure that all configurations, services, and caches are refreshed and synchronized.
      Consult Documentation and Support:
      Refer to the documentation, forums, or support resources for Samba, NFSv4, and your specific operating system for additional guidance, best practices, and troubleshooting tips.
      Seek assistance from experienced users, administrators, or support professionals who may have encountered similar issues and can provide insights and solutions.
      By carefully reviewing, testing, and adjusting the configurations and permissions, you should be able to implement ABSE and ACL settings to hide SMB folders from other users based on their access rights and permissions in your environment.

  • @lorenceHiyas 1 year ago

    I can't see my created group in edit permissions. I am going to add a group to my new share folder, but I can't see the group I created.

  • @anilc34 9 months ago

    By public IP I am able to access my TrueNAS (TrueNAS-SCALE-23.10.1) system, but it gives a user login error.

  • @nicholash8021 1 year ago +2

    This is very confusing to a newbie. For example: (1) I see "Other" and "Other - default" at 8:42 and these have different permissions (one has None, and the other Read/Execute). What are these two entries? (2) You have selected "POSIX_ADMIN" which very confusingly gives Read/Execute access to Other as I noted. Why would admin ACL permissions allow Others read/execute permissions by default? (3) I see "User Obj" and "Group Obj" but you did not create a group called "Obj" so why is this appearing in the list?

    • @sauberlab-uk 1 year ago +5

      I can certainly help clarify some of the confusion you're experiencing.
      "Other" refers to anyone who is not the owner or a member of the group associated with the file or directory. "Other - default" refers to the default permissions that are set when a new file or directory is created. By default, these permissions are set to allow read and execute access for all users, but they can be changed.
      The "POSIX_ADMIN" permission is a special permission that grants a user or group administrative access to the system. This permission does not by default give read/execute access to "Other". It's possible that the default permissions for a specific directory or file were set to allow read/execute access for "Other", but this would be a separate issue.
      "User Obj" and "Group Obj" refer to the owner and group associated with the file or directory. These permissions allow the owner and group to modify the file or directory. The "Obj" you see is short for "Object", which is a general term used to refer to files or directories in the context of ACL permissions.
      I hope this helps clarify some of the confusion you were experiencing. Let me know if you have any further questions!

    • @nicholash8021 1 year ago +3

      @sauberlab-uk Thank you for the detail! Much appreciated :)

    • @michaelbrown192 1 year ago +3

      It's just that permission management in truenas is an awful pile of crap.

  • @trialaccount9328 1 year ago +1

    I managed to set up exactly what I needed by watching your videos, explained well, easy, down to the point. Maybe you can provide a video on how to harden TrueNAS if it's accessed via public. Also how to "Not Allow" users to view parent folders, example John is only allowed to access (and view) /Dataset1/UsersDatasets/JohnDataset, but shouldn't be able to view /Dataset1/UsersDatasets or even reach that folder; I do know about the "access based share enum = yes" which can be enabled for SMB shares (and works 100%), but how do you do it when it's not an SMB share, like ssh access per local user?

    • @sauberlab-uk 9 months ago

      I'm glad to hear that you found the videos helpful for setting up your TrueNAS system. Hardening a TrueNAS system for public access and configuring specific user permissions can be crucial for maintaining security and data integrity.
      Here's a brief overview of some steps you can take to harden TrueNAS and restrict user access as described:
      Firewall Configuration:
      Configure firewall rules to restrict access to essential services and ports.
      Consider using VPN or SSH tunneling for secure remote access instead of exposing services directly to the public.
      HTTPS and Certificate Management:
      Enable HTTPS for secure web access and ensure proper certificate management.
      User and Group Management:
      Create specific users and groups for different datasets and assign appropriate permissions.
      Use ACLs (Access Control Lists) to further refine and restrict access to specific datasets.
      Dataset and Share Configuration:
      Configure datasets and shares with appropriate permissions and restrictions.
      Utilize the "access based share enum = yes" option for SMB shares to restrict visibility of parent folders.
      SSH Configuration:
      For SSH access, you can use local user accounts and configure permissions using SSH keys and SSH configuration settings.
      Limit SSH access to specific users or groups and restrict root access.
      Audit and Monitoring:
      Enable logging and monitoring to track access and detect any unauthorized or suspicious activity.
      Regularly review logs and audit trails for security monitoring and compliance.
      As for creating a video tutorial on these topics, it's a great suggestion, and I'll consider it for future content. In the meantime, you may find detailed guides and documentation available from TrueNAS and other security resources that can help you further configure and secure your system.

  • @krisdahl4817 1 year ago

    Your screen is clipped on the right hand side, which makes it hard (impossible) to see what you're clicking on.

  • @vedranart 1 year ago

    Can you make a video on how to set up WebDAV with the new app/addon on TrueNAS? I'm trying to set it up, but whenever I mount it and try to create a new folder on a Windows mapped drive I always get the error... But I can read all files in it...
    Default permissions... One user.
    Thanks!

    • @sauberlab-uk 9 months ago +1

      Thank you for the suggestion, I will add it to my list of future videos.

    • @vedranart 9 months ago

      @sauberlab-uk I went with Open Media Vault. Seems more robust and easier for my needs. But thanks! 😊

  • @gpatkinson 1 year ago +4

    What is the purpose of the “mask”?

    • @haydenstith 1 year ago +8

      Mask sets the maximum permissions available to everyone. If mask is set to just read then everyone with read permissions will be able to read as intended but at the same time everyone with write or execute privileges will only be able to read the file as well.

    • @sauberlab-uk 1 year ago +1

      Thank you Hayden.

    • @bumpsy 1 year ago

      God, TrueNAS Scale is truly a huge mess, lol. Thanks anyway @haydenstith

  • @sillycoda1084 1 year ago

    Thank you!! Was looking to understand why I kept getting an error when trying to add read-only access to the restricted template - turns out, need a MASK entry first.. good lord.. thank you!

    • @sauberlab-uk 1 year ago

      You're welcome! I'm glad that the tutorial was helpful for you. Don't hesitate to reach out if you have any more questions!

  • @erzsebetbiro7153 9 months ago

    Hi, your videos are a big mess, I can't follow them. What do you do and why?
    You could insert pictures of what happens in each state.
    The right side of the screen is not visible, where do you click there?
    My problem is: Error: dacl. Named (user or group) POSIX ACL entries require a mask entry to be present in the ACL. What have I done wrong?
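
Added example (not part of the video or the comments above): a small Python model of the two mask behaviours raised in this thread. Named user or group POSIX ACL entries require a mask entry, and the mask caps the effective rights of named users, named groups and the owning group while leaving the owner and other entries untouched. The function names and the sample ACL (getfacl-style short text) are constructed for illustration.

```python
# Added example: model of how a POSIX ACL mask is checked and applied.
MASKED = {"named_user", "group_obj", "named_group"}  # entry kinds the mask caps

def parse_acl(text):
    """Parse 'tag:qualifier:perms' lines into (kind, qualifier, perms) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop getfacl '#effective' notes
        if not line or line.startswith("default:"):
            continue  # skip blanks, comments and inheritable (default) entries
        tag, qualifier, perms = line.split(":")
        if tag not in ("user", "group", "mask", "other"):
            raise ValueError(f"unknown ACL tag: {tag!r}")
        kind = tag
        if tag in ("user", "group"):
            kind = f"named_{tag}" if qualifier else f"{tag}_obj"
        entries.append((kind, qualifier, frozenset(perms) - {"-"}))
    return entries

def validate(entries):
    """Return a list of problems; named entries without a mask is the key one."""
    kinds = [kind for kind, _, _ in entries]
    problems = [f"missing required {k} entry"
                for k in ("user_obj", "group_obj", "other") if k not in kinds]
    has_named = any(k in ("named_user", "named_group") for k in kinds)
    if has_named and "mask" not in kinds:
        problems.append("named user/group entries require a mask entry")
    return problems

def effective(entries):
    """Map each (kind, qualifier) to its rights after the mask is applied."""
    mask = next((p for k, _, p in entries if k == "mask"), None)
    result = {}
    for kind, qualifier, perms in entries:
        if kind == "mask":
            continue
        if mask is not None and kind in MASKED:
            perms = perms & mask  # owner and other are never masked
        result[(kind, qualifier)] = "".join(c if c in perms else "-" for c in "rwx")
    return result

# Constructed sample ACL; "john" and "staff" are hypothetical names.
SAMPLE = "user::rwx\nuser:john:rwx\ngroup::r-x\ngroup:staff:rw-\nmask::r--\nother::---"

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print(validate(acl) or "ACL is valid", effective(acl))
```

With the sample's `mask::r--`, john's `rwx` and staff's `rw-` both resolve to `r--`, while the owner keeps `rwx`; removing the mask line makes `validate` report the missing-mask problem.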